refactor(standardize): fix sudoers lecture syntax, extract ssh config, remove redundant os filters

2026-02-13 00:20:59 +01:00
parent af5eecfc01
commit eeb580f180
17 changed files with 67 additions and 62 deletions
--- a/roles/configuration/tasks/banner.yml
+++ b/roles/configuration/tasks/banner.yml
@@ -26,30 +26,25 @@
 - name: Configure sudo banner
  when: system_cfg.features.banner.sudo | bool
  block:
-    - name: Create sudoers banner directory
-      ansible.builtin.file:
-        path: /mnt/etc/sudoers.d
-        state: directory
-        mode: "0755"
-        owner: root
-        group: root
-
-    - name: Create sudo banner file
+    - name: Create sudo lecture file
      ansible.builtin.copy:
        content: |
          I am Groot, and I know what I'm doing.
-        dest: /mnt/etc/sudoers.d/banner
+        dest: /mnt/etc/sudo_lecture
        mode: "0644"
        owner: root
        group: root

-    - name: Enable sudo banner in sudoers
+    - name: Enable sudo lecture in sudoers
      ansible.builtin.lineinfile:
        path: /mnt/etc/sudoers
-        line: "Defaults lecture=@/etc/sudoers.d/banner"
+        line: "{{ item }}"
        state: present
        create: true
        mode: "0440"
        owner: root
        group: root
        validate: "/usr/sbin/visudo --check --file=%s"
+      loop:
+        - "Defaults lecture=always"
+        - "Defaults lecture_file=/etc/sudo_lecture"